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Abstract 

We extend the theory of labeled Markov processes with internal nondeterminism, a 
fundamental concept for the further development of a process theory with abstraction 
on nondeterministic continuous probabilistic systems. We define nondeterministic la- 
beled Markov processes (NLMP) and provide three definition of bisimulations: a bisim- 
ulation following a traditional characterization, a state based bisimulation tailored to 
our "measurable" non-determinism, and an event based bisimulation. We show the 
relation between them, including that the largest state bisimulation is also an event 
bisimulation. We also introduce a variation of the Hennessy-Milner logic that charac- 
terizes event bisimulation and that is sound w.r.t. the other bisimulations for arbitrary 
NLMP. This logic, however, is infinitary as it contains a denumerable V. We then 
introduce a finitary sublogic that characterize all bisimulations for image finite NLMP 
whose underlying measure space is also analytic. Hence, in this setting, all notions 
of bisimulation we deal with turn out to be equal. Finally, we show that all notions 
of bisimulations are different in the general case. The counterexamples that separate 
them turn to be non-probabilistic NLMP. 

1 Introduction 

Markov processes with continuous-state spaces or continuous time evolution (or both) arise 
naturally in several fields of physics, biology, economics, and computer science (Danos et al. 
2006). Many formal frameworks have been defined to study them from a process theory 
or process algebra perspective (see Strulo 1993; Dcsharnais 1999; D'Argenio 1999; Bravetti 
2002; Desharnais et al. 2002; Bravetti and D'Argenio 2004; D'Argenio and Katocn 2005; 
Cattani 2005; Cattani et al. 2005; Danos et al. 2006). A prominent and extensive work on 
this area is the one that builds on top of the so called labeled Markov processes (LMP) 
(Desharnais 1999; Desharnais et al. 2002). This is due to its solid and well understood 
mathematical foundations. A LMP allows for many transition probability functions (or 
Markov kernels) leaving each state (instead of only one as in usual Markov processes) . Each 
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transition probability function is a measure ranging on a (possibly continuous) measurable 
space, and the different transition probability functions can be singled out through labels. 
Thus this model does not consider internal nondctcrminism. From the process algebra 
point of view, this is a significant drawback for this theory since internal nondeterminism 
immediately arises in the analysis of systems, e.g., because of abstracting internal activity 
(such as weak bisimulation (Milncr 1989)) or because of state abstraction techniques (such 
as in model checking (Clarke ct al. 1999)). 

Many other works defined variants of continuous Markov processes that include internal 
nondeterminism and are mainly used as the underlying semantics of a process algebra (Strulo 
1993; D'Argenio 1999; Bravetti 2002; Bravetti and D'Argenio 2004; D'Argenio and Katoen 
2005). They also defined a continuous probabilistic variant of the (strong) bisimulation. 
As correctly pointed out in (Cattani 2005; Cattani et al. 2005), these models lack enough 
structure to ensure that bisimilar models share the same observable behavior. (This is due 
to the case in which two objects may be bisimilar but in one of them it is not possible to 
define probabilistic executions since the transition relation is not a measurable object.) The 
solution proposed in (Cattani 2005; Cattani et al. 2005) deals with the same unstructured 
type of models and lift the burden of checking measurability to the semantic tools (such as 
bisimulation or schedulers). In particular, this results in the definition of a bisimulation as 
a relation between measures rather than states. 

A somewhat related observation has been made by Danos et al. (2006) with respect to the 
bisimulation relation on LMPs (Desharnais 1999; Desharnais et al. 2002). Danos et al. (2006) 
show that there are bisimulation relations that may distinguish beyond events. That is, states 
that cannot be separated (i.e., distinguished) by any measurable set (i.e., any event) may 
not be related for some bisimulation relation. This is also awkward as events (measurable 
sets) are the building blocks of observations (probabilistic executions). To overcome this, 
Danos et al. (2006) define the so called event bisimulation (in opposition to the previous 
state bisimulation — name which we will use from now on). An event bisimulation is a sub 
cr-algebra A on the set of states such that the original transition probability functions are 
also Markov kernels on A, i.e., the original LMP is also an LMP over A. A induces an 
equivalence relation 71(A) also called event bisimulation. Fortunately, it turns out that the 
largest state bisimulation is also an event bisimulation. 

In this paper, we follow the LMP approach towards defining a theory of LMP with 
internal nondeterminism. Thus, we introduce nondeterministic labeled Markov processes 
(NLMP). A NLMP has a nondeterministic transition function T a for each label a that, 
given a state, it returns a measurable set of probability measures (rather than only one 
probability measure as in LMPs). Moreover, T a should be measurable. This calls for a 
definition of a cr-algebra on top of Giry's cr-algebra on the set of probability measures 
(Giry 1981), which we also provide. We give a definition for event bisimulation and state 
bisimulation and prove similar properties to (Danos et al. 2006), including that the largest 
state bisimulation is also an event bisimulation. We also provide a definition of "traditional" 
bisimulation that follows the lines of (Strulo 1993; D'Argenio 1999; Bravetti 2002; D'Argenio 
and Katoen 2005) . We prove that a traditional bisimulation is also a state bisimulation and 
give sufficient conditions so that the converse holds. Besides, we show that LMPs are just 
NLMPs without internal nondeterminism and that state (resp. event) bisimulation in the 
different models agree. 

Behavioral equivalences like bisimulation have been characterized using logic with modal- 
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ities, notably the Hennessy-Milner logic (see e.g. van Glabeek 2001). We define an extension 
of the logic presented in the context of LMP (Desharnais 1999). In fact, the logic is similar 
to that of Parma and Segala (2007), which was introduced in a discrete setting. However, 
unlike Parma and Segala (2007), we consider two different formula levels: one that is in- 
terpreted on states, and the other that is interpreted on measures. Such separation gives 
a particular insight: the actual complexity of the model lies exactly on the internal non- 
determinism introduced by the values of T a (which are sets of measures). At state level, 
the logic is as simple as that of Desharnais (1999). We show that this logic completely 
characterizes event bisimulation and, as a consequence, it is sound w.r.t. traditional and 
state bisimulation. 

In addition, we show that a sublogic of the previous logic characterizes all three bisim- 
ulations (event, state and traditional) provided certain restrictions apply, namely, NLMPs 
are image finite and the state space is analytic. Therefore, all bisimulation equivalences as 
well as logical equivalence turn out to be the same on this setting. 

Nonetheless, we also show that they are different in a more general setting. In the last 
part of this article, we present two counterexamples, one showing that traditional bisimula- 
tion is strictly finer that state and event bisimulation and the other that state bisimulation 
is strictly finer than event bisimulation. Both counterexamples turn to be non-probabilistic 
NLMPs — which can be seen as a measure theoretic version of labelled transition systems. 
The first example shows that traditional bisimulation distinguish beyond measurability, and 
the second one, that event bisimulation has some weakness that has to be overcome. 

This article revise and extends our result in (D'Argenio et al. 2009). In particular, Sec. 5, 
is new to this paper. Most importantly, the new counterexamples presented here lead to 
new and different conclusions to that of (D'Argenio et al. 2009). 

2 Fundamentals and Background 

In this section we review some foundational theory and prove few basic results that will be 
of use throughout the paper. 

2.1 Measure theory 

Given a set S and a collection S of subsets of S, we call £ a a-algebra iff S £ £ and 
£ is closed under complement and denumerable union. By o~{G) we denote the a-algebra 
generated by the family Q C I s , i.e., the minimal cr-algebra containing Q . Each element of Q 
is called generator and Q, the set of generators. We call the pair (S, £) a measurable space. 
A measurable set is a set Q £ £. A c-additivc function fx : £ — > [0, 1] such that /i(S) = 1 is 
called probability measure. By 5 a we denote the Dirac probability measure concentrated in 
{a}. Let A(S) denote the set of all probability measures over the measurable space (S, £). 
Let (Si, £2) and (Si, £2) be two measurable spaces. A function / : Si,— » S2 is said to be 
measurable if VQ2 £ £2, /~ 1 (Q2) £ Si, i.e., the inverse function maps measurable sets to 
measurable sets. In this case we denote / : (Si, £2) —> (Si, £2)- 

A function / : Si x £ 2 — > [0, 1] is a transition probability (also called Markov kernel) if 
for all u>i £ Si, /(wi, •) is a probability measure on (S2, £2) and for all Q2 £ £2, /(•, Q2) is 
measurable. 
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There is a standard construction by Giry (1981) to endow A(S) with a er-algebra as 
follows: A(E) is defined as the er-algcbra generated by the sets of probability measures 
A B (Q) = {fi | n{Q) G B}, with Q G S and B 6 S([0,1]). (S([0,1]) is the Borel cr-algebra 
on the interval [0, 1] generated by the open sets.) When < p < 1, we will write A- P (Q), 
A>P(Q), A <P (Q), etc. for A B (Q) with B = [p, 1], (p, 1], [0,p), etc. respectively. It is known 
that the set {A^(Q) | p G (Q n [0, 1]), Q G E} generates all A(S). 

On this setting, / : Si x S 2 [0, 1] is a transition probability if and only if its curried 
version f : Si —> A(S*2) is measurable. (Mind the notation overloading on /.) This follows 
from the next lemma. 

Lemma 2.1. / : Si — » A(S*2) is measurable iff f(-,Q) ■ Si — > [0,1] is measurable for all 
Q G E 2 . 

Proo/. It is routine to calculate that f~ 1 (A B (Q)) = (/(•, Q)) _1 (B) for all Q G E 2 and 
B G £([0,1]). By this observation, f~ 1 (A B (Q)) G Ei iff (/(•, Q))" 1 ^) G E x . Since it 
is sufficient to show that f^ 1 (A B (Q)) G Ei for all generators A B (Q) to state that / is 
measurable, the lemma follows. □ 

An important result on Giry's construction is that the er-algcbra of measures is separative 
(van Brcugcl 2005), i.e., for any two elements, there is always a measurable set that contains 
one clement but not the other. 

Proposition 2.1. A(E) is separative. That is, given different n,p! G A(S), there exists 
G A(E) such that /i £ 9 and // ^ 6. 



2.2 Relations, Measures, and a-algebras 

Given a relation R C 5 x 5, the predicate i?-closed(<5) denotes i?(<5) Q Q. Notice that if 
R is symmetric, i?-closed(Q) if and only if Vs, t : s Rt : s e Q ^ t E Q. Let (S 1 , E) be a 
measurable space. For symmetric R, define E(i?) = {Q G E | i?-closed(Q)}. E(i?) is the 
sub-cr-algebra of E containing all i?-closed E-measurable sets. The next proposition states 
that the inclusion order between two relations transfers inversely to the a-algebras induced 
by them and to Giry's construction applied to these er-algebras. 

Proposition 2.2. Let R and R' be symmetric relations such that R C R' . Then (i) E(i?) D 
E(R') and (ii) A(E(i?)) D A(E(i?')). 

Proof, (i) follows from the fact that any measurable set that is i?'-closcd is also i?-closcd 
whenever R C R'. For (ii), recall that A(E(i?')) is generated by Q = {A B {Q) \ Q G E(i?') 
and B G S([0, 1])}. Since E(i?') C E(i?) (by (i)), then Q C A(E(i?)) from which the lemma 
follows. □ 

We can lift R to an equivalence relation in A(S) as follows: /j,R/j,' iff VQ G E(J?) : /u(Q) = 
p!{Q). Then, the predicate i?-closed can be defined on subsets of A(S) just like before. The 
following proposition will be useful. 

Proposition 2.3. If R is a symmetric relation, every A(E(i?)) -measurable set is R-closed. 
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Proof. Let Q G and B G B([0,1)). Then, if fj, G A S (Q) and /ziJ//, /it' G A B (Q). 

So, each generator A B (Q) of A(£(i?)) is i?-closed. Moreover, for any symmetric i?, the 
property of being i?-closed is preserved by denumerable union and complement. Since the 
lifted R is symmetric, we can conclude that every A(£(i?))-measurable set is i?-closed. □ 

A cr-algebra £ defines an equivalence relation 7£(£) on S as follows: s 1Z(E) t iff VQ G S, 
s e Q t e Q. That is, two elements are related if they cannot be separated by any 
measurable set. The following properties (due to Danos et al. 2006) appear here for the sake 
of completeness; they relate c-algebras and relations. In particular, (v) is a consequence of 
(i) and (ii). 

Proposition 2.4. Let (S, S) be a measurable space, R a symmetric relation on S , and ACS 
a sub-o -algebra o/S. Then, (i) A C S(72.(A)); (ii) R C 1Z(T,(R)); (Hi) if each R-equivalence 
class is m S, then R = 1l(Y,(R)); (m) K{A) = ft(E(ft(A))); and (v) S(i?) = ^(^(^(i?))) 1 . 

2.3 Labeled Markov Processes 

A labeled Markov process (LMP) (Desharnais 1999; Desharnais et al. 2002) is a triple 
(S, S, {r a | a G L}) where S is a cr-algebra on the set of states S, and for each label 
a G L, r a : S x S — > [0, 1] is a transition probability. By Lemma 2.1, we can say that 
(S, S, {r a | a G L}) is an LMP if every t q : 5 — > A(S) is measurable. 

In (Desharnais 1999; Desharnais et al. 2002), a notion of behavioral equivalence similar 
to Larsen and Skou's (1991) probabilistic bisimulation is introduced. 

Definition 2.1. R C S x S is a state bisimulation on LMP (5, E,{r a | a G L}) if it is 

symmetric 2 and for all s,t G S, a G L, s Rt implies that r a (s) R T a (t). 

This definition is pointwise and not "eventwise" as one should expect in a measure- 
theoretic realm, besides R has no measurability restriction. In (Danos et al. 2006) a measure- 
theory aware notion of behavioral equivalence is introduced. 

Definition 2.2. An event bisimulation on a LMP (S, S, {r a | a G L}) is a sub-o -algebra A 
of S s.t. {S, A, {t q | a G £}) is a LMP. 

Danos et al. (2006) show that R is state bisimulation iff S(i?) is an event bisimulation. 
This is an important result that leads to prove that the largest state bisimulation is also an 
event bisimulation (see Theorem 3.4 below). 

3 Nondeterministic Labeled Markov Processes 

In this section we extend the LMP model adding internal nondctcrminism. That is, we 
allow that different but equally labeled transition probabilities leave out the same state. We 
provide event and state bisimulations for this model, show the relation to LMPs and the re- 
lation to earlier definitions of bisimulation on nondeterministic and continuous probabilistic 
transition systems. 

1 Proposition 2.4(v) appears in (Danos et al. 2006) unnecessarily requiring that R is a state bisimulation. 
2 The requirement of symmetry is needed otherwise S(iJ) may not be a cr-algebra. 
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3.1 The model 



There have been several attempts to define nondeterministic continuous probabilistic tran- 
sition systems and all of them are straightforward extensions of (simpler) discrete versions. 
There arc two fundamental differences in our new model. The first one is that the nondeter- 
ministic transition function T a now maps states to measurable sets of probability measures 
rather than arbitrary sets as previous approaches. This is motivated by the fact that later on 
the nondeterminism has to be resolved using schedulers. If we allowed the target set of states 
to be an arbitrary subset, (as some continuous ones D'Argcnio 1999; Bravetti and D'Argcnio 
2004; Cattani et al. 2005), the system as a whole could suffer from non-measurability issues 
and therefore it could not be quantified. (Rigorously speaking, labels should also be pro- 
vided with a a- algebra, but we omit it here since it is not needed.) The second difference is 
inspired by the definition of LMP and Lemma 2.1 (see also the alternative definition of LMP 
above): we ask that, for each label a £ L, T a is a measurable function. One of the reasons 
for this restriction is to have well defined modal operators of a probabilistic Hennessy-Milner 
logic, like in the LMP case. 

Definition 3.1. A nondeterministic labeled Markov process (N LMP for short) is a structure 
(S, S, {T a | a G L}) where £ is a a-algebra on the set of states S, and for each label a G L, 
T a : S — > A(£) is measurable. 

For the requirement that T a is measurable, we need to endow A(E) with a er-algcbra. 
This is a key construction to forthcoming definitions and theorems. 

Definition 3.2. iJ(A(E)) is the minimal a-algebra containing all sets = {O G A(£) | 
en£ ^ 0} with £ G A(£). 

This construction is similar to that of the Effros-Borel spaces (Kechris 1995) and re- 
sembles the so-called hit-and-miss topologies (Naimpally 2003). Note that the generator 
set contains all measurable sets that "hit" the measurable set £. Also observe that 
T~ 1 (ff^) is the set of all states s such that, through label a, "hit" the set of measures £ (i.e., 
T a (s) n£ 7^ 0). This forms the basis to existentially quantify over the nondeterminism, and 
it is fundamental for the behavioral equivalence and the logic. 

The next two examples (inspired by an example in Cattani 2005) show why T a is required 
to map into measurable sets and to be measurable. For these examples we fix the state space 
and cr-algebra in the real unit interval with the standard Borel a-algebra. 

Example 3.1. Let V = {5 q \ q G V}, where V is the non-measurable Vitali set in [0,1]. 
It can be shown that V is not measurable in A(E). Let T a (s) = V for all s G [0, 1]. The 
resolution of the internal nondeterminism by means of so called schedulers ( also adversaries 
or policies) (Vardi 1985; Puterman 1994), whatever its definition is, would require to assign 
probabilities to all possible choices. This amounts to measure the nonmeasurable set T a {s). 
This is why we require that T a maps into measurable sets. 

Example 3.2. Let T a (s) = {/i} for a fixed measure pi, and let T&(s) = if (s G V) then 
{Si} else 0, for every s G [0, 1], with V being a Vitali set. Notice that both T a (s) and ?b(s) 
are measurable sets for every s G [0, 1]. Supposing that there is a scheduler that chooses to 
first do a and then b starting at some state s, the probability of such set of executions cannot 
be measured, as it requires to apply fi to the set T fe _1 (J?^(5)) = V which is not measurable. 
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Besides, we will later need that sets T a 1 {H^) are measurable so that the semantics of the 
logic maps into measurable sets (see Sec. 4). 

3.2 NLMPs as a generalization of LMPs 

Notice that a LMP is a NLMP without internal nondeterminism. That is, a NLMP in which 
T a (s) is a singleton for all a £ L and s £ S, is a LMP. In fact, a LMP can be encoded as 
a NLMP by taking T a (s) = {r a (s)}. (We formally prove this in Proposition 3.1.) As a 
consequence it is necessary that singletons {/x} are measurable in A(E) for the NLMP to be 
well defined. The following lemma gives sufficient conditions to ensure that all singletons 
are measurable in A(S). 

Lemma 3.1. Let Q be a denumerable ir-system on S (i.e., a denumerable subset of 2 
containing S and closed under finite intersection). Then, for all /i £ A(S'), {/x} £ A(a(Q)). 

Proof. It is sufficient to prove that the set 

n{A>*(Q<) | Q t £ g, qi £ Q n [o, i], qi < n{Qi)} n 
n{A <qi (Qi) | Qt £ g,g t £ Qn [0,1], KQi) < 

which is a denumerable intersection, is equal to the singleton {/i}. By construction (U is 
in the intersection. Take /x' s.t. /x ^ /i'. By a classical theorem of extension of a measure 
(Billingsley 1995, Theorem 3.3), there must be a Qi £ such that /x(Qj) ^ /x'(Qj). If 
MQO > v'iQi) then /x' does not belong to the first intersection; if /j(Qj) < /j'(Qi), // does 
not belong to the second one. □ 

In other words, we can guarantee that singletons are measurable in Giry's construction 
if the underlying er-algebra is countably generated. 

Note that Lemma 3.1 gives also sufficient conditions to define NLMPs with finite and 
denumerable nondeterminism. 

Notice also that asking for measurable singletons in A(E) does not trivialize E (in the 
sense that E = 2 s ). A nontrivial example in which Lemma 3.1 holds is the standard Borel a- 
algcbra in R. A less obvious example is as follows. Let the cr-algebra Q-coQ = 2^U{R\Q | 
Q £ 2^}. Notice that Q-coQ cannot separate one irrational from another (let alone asking 
for all singletons being measurable). Nevertheless, as it is generated by the denumerable 
7r-system {{q} \ q £ Q} U {0}, it is under the conditions of Lemma 3.1 and hence for every 
measure fi on it, {fi} is measurable on A(Q-coQ). 

The formal connection between NLMP and LMP is an immediate consequence of the 
next proposition. 

Proposition 3.1. Let T a (s) = {r a (s)} for all s £ S and let E be a cr-algebra on S. Then 
r a : S — > A(iS) is measurable iff T a : S — > A(E) is measurable. 

Proof. Let £ £ A(E). Note that T a (s) £ H ( iff {r a (s)} fl ^ iff r„(s) £ £. Then 
T~ 1 (i?^) = r a f 1 (^). Therefore r a is measurable whenever T a is measurable. For the con- 
verse, we have that T C [ 1 (H^) is measurable for all generators H^. As a consequence T a is 
measurable in general. □ 
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3.3 The bisimulations 



Event bisimulation in NLMP is defined exactly in the same way as for LMP: an event 
bisimulation is a sub-a- algebra that, together with the same set of states and transition of 
the original NLMP, makes a new NLMP. 

Definition 3.3. An event bisimulation on a NLMP (S, E, {T a | a G L}) is a sub-a- algebra 
A o/S s.t. T a : (S, A) — » (A(S), H (A(A))) is measurable for each a E L. 

Notice that T a is the same function from S to A(S) only that, for A to be an event 
bisimulation, it should be measurable from A to H(A(A)). Here, H(A(A)) is the sub-cr- 
algebra of #(A(£)) generated by {iff | £ G A(A)}. 

We extend the notion of event bisimulation to relations. We say that a relation R is an 
event bisimulation if there is an event bisimulation A s.t. R = 1Z(A). More generally, we say 
that two states s,t G S are event bisimilar, denoted by s ~ t, if there is an event bisimulation 
A such that s 7?.(A) t. The fact that ^ is an equivalence relation is an immediate corollary 
of Theorem 4.5 given below. We remark that, by Proposition 3.1, an event bisimulation on 
a LMP is also an event bisimulation on the encoding NLMP and vice- versa. 

The definition of state bisimulation is less standard. Following the original definition 
of Milner (1989) (which was lifted to discrete probabilistic models by Larsen and Skou 
1991), a traditional definition of bisimulation (see Def. 3.5) verifies that, whenever s R t, 
every measure on T a (s) has a corresponding one (modulo R) in T a {t). Rather than looking 
pointwise at probability measures, our definition follows the idea of Def. 3.2 and verifies 
that both T a (s) and T a (i) hit the same measurable sets of measures. 

Definition 3.4. A relation R C S x S is a state bisimulation if it is symmetric and for all 
a e L, s Rt implies V£ E A(S(i?)) : T a (s) D £ ^ & T a (t) n ^ 0. 

The following property, which also holds in LMPs, states the fundamental relation be- 
tween state bisimulation and event bisimulation. 

Lemma 3.2. Provided R is symmetric, R is a state bisimulation iff E(i?) is an event 
bisimulation. 

Proof. By Def. 3.3, S(i?) is an event bisimulation iff T a is £(i?)-measurable. Since T a is S- 
measurable, it suffices to prove that T a " 1 (i/^) is i?-closed for all labels o£i and generators 



H e , £ g A(S(i?)). 



i?-closed(T" 1 (^)) 



iff 



(R is symmetric) 



s R t =► (s G T-\H £ ) & t e T" 1 ^)) 



iff 



(Def. inverse function) 



sRt^ (T a {s) T a (t) E Hz) 



iff 



(Def. of Hz) 



sRt^ (T a {s) n ^ & T a (t) n^0). 



The last statement is the definition of state bisimulation. 



□ 
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The following results are consequences of Proposition 2.4 and, for the case of Lemma 3.3.3, 
Lemma 3.2 and the fact that 7?.(A) is an equivalence relation. The proofs are the same as 
the proofs of similar results for LMP in (Danos ct al. 2006). 

Lemma 3.3. Let R be a state bisimulation. Then: 

1. R is an event bisimulation iff R = 1Z(T,(R)). 

2. If the equivalence classes of R are in E, R is an event bisimulation. 

3. 7?.(E(i?)) is both a state bisimulation and an event bisimulation. 

Let ^ s = | i? is a state bisimulation}. In the following we show that ~ s is also a 

state bisimulation and hence the largest one. Moreover, we show that ~ s is also an event 
bisimulation and, as a consequence, an equivalence relation. 

Theorem 3.4. ^ s is (i) the largest state bisimulation, (ii) an event bisimulation (and hence 
^ s C ~ e Jj ond (Hi) an equivalence relation. 

Proof, (i) Take s,t G S s.t. s ~ s t. Then there is a state bisimulation R with s R t. Take 
a measurable set £ G A(E(~ S )). Since R C~ s , by Proposition 2.2, A(E(i?)) 2 A(E(~ S )). 
Hence £ G A(E(i?)) and by Def. 3.4, T a (s) (1 £ ^ T a (t) n £ ^ which prove that ~ s 
is a state bisimulation. By definition, it is the largest one. 

(ii) Because ^ s is a state bisimulation, 7£(E(~ S )) is a state bisimulation and an event 
bisimulation (Lemma 3.3.3). Since ^ s is the largest bisimulation then 7?.(E(~ 8 )) and 
hence it is an event bisimulation. 

(iii) By definition, every event bisimulation is an equivalence relation. □ 
3.4 A traditional view to bisimulation 

We have already stated that our definition of state bisimulation differs from a more tradi- 
tional view such as those in (Strulo 1993; D'Argenio 1999; Bravetti 2002; D'Argenio and 
Katoen 2005; Bravetti and D'Argenio 2004). These definitions closely resemble Larsen and 
Skou's (1991) definition. (The only difference is that two measures are considered equivalent 
if they agree in every measurable union of equivalence classes induced by the relation.) In 
the following, we give a more "modern" variant of this definition. 

Definition 3.5. A relation R is a traditional bisimulation if it is symmetric and for all 
a G L, s Rt implies T a (s) R T a (t). We say that s,t G S are traditionally bisimilar, denoted 
by s ~t t> if there is an traditional bisimulation R such that s Rt. 

Note that R is lifted this time to sets as is usual: T a (s) R T a (t) if for all \i G T a (s), there 
is /i' G T a (t) s.t. [iR/i' and vice- versa. (Had we explicitly written this definition on Def. 3.5, 
it would have resembled traditional definitions.) 

The proof of the next proposition follows the standard strategy of the classic bisimu- 
lation (see Milner 1989). Apart from the probabilistic treatment, it only differs in that 
the composition R o R' is granted to be traditional bisimulation if R and R' are reflexive 
traditional bisimulations. (If one of R or R' is not reflexive, Ro R' may not be a traditional 
bisimulation.) 

Proposition 3.2. ~ t is a traditional bisimulation and an equivalence relation. 
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In the following we discuss the relation between state bisimulation and traditional bisim- 
ulation. Lemma 3.5 states that every traditional bisimulation is a state bisimulation. The- 
orems 3.6 and 3.7 give sufficient conditions to strengthen Lemma 3.5 so that the converse 
also holds. 

Lemma 3.5. If R is a traditional bisimulation, then R is a state bisimulation. 

Proof. Let s Rt and £ G A(£(i?)). If T a (s) n £ ^ 0, then there is /jt G T a (s) s.t. 
Since R is a traditional bisimulation, T a (s) R T a (t), i.e., there is // G T a (t) s.t. fxR/j,'. By 
Proposition 2.3 i?-closed(£), so fi' G £, and hence T (t) fl ^ as required. The other 
implication follows by symmetry. □ 

In the following we give two sufficient conditions so that a state bisimulation is also a 
traditional bisimulation. The first condition focuses on the NLMP. It requires the NLMP 
to be image denumerable. 

Definition 3.6. A NLMP (S, S, {T a | a G L}) is image denumerable iff for alia G L,s G S\ 
T Q (s) is denumerable. 

Theorem 3.6. Let (S 1 , S, {T a | a G L}) be an image denumerable NLMP. Then R is a 
traditional bisimulation iff it is a state bisimulation. 

Proof. The left-to-right implication is Lemma 3.5. For the other implication we proceed as 
follows. 

Let s R t and for all £ G A (£(#)), T a (s) D £ ^ <^ T a (t) n £ ^ 0. Suppose towards 
a contradiction that T a (s) $ T a (t), i.e. 3/i G T a (s),V/i< G T a (i) : 3Q t G E(i?) : //(Q;) XI; 
Li'iiQi), where Mi G {>,<} and i G N (the NLMP is image denumerable). By density 
of the rationals, there are {qi\i C Qn [0,1] such that n(Qi) txij qi Mi ^[(Qi). Then 
H G A Mi9i (Qj) ^ /x^. Let £ = niA^* 9 * (Qi). This set is measurable, moreover, since every 
Qi G so £ G A(E(i?)). Then fi G T (s) n£, but T a (t) n£ = hence contradicting the 

assumption. □ 

After reading the proof, it should be clear that we can relax the sufficient condition to 
require that the partition T a (s)/R is denumerable for each state s and label a instead of 
image dcnumcrability. 

Observe that a state bisimulation on a LMP is a traditional bisimulation on the encoding 
NLMP and vice- versa since {r Q (s)} = T a (s) R T a (t) = {r a (t)} iff r a (s) R r (t). As a 
consequence of Lemma 3.5 and Theorem 3.6 (a deterministic NLMP is image denumerable!), 
we conclude that a state bisimulation on a LMP is a state bisimulation on the encoding 
NLMP and vice-versa. 

The second sufficient condition looks at the er-algebra S(i?) induced by the state bisim- 
ulation R. It turns out that if E(i?) is generated by a denumerable 7r-system, R is also a 
traditional bisimulation. 

Theorem 3.7. Let R be a symmetric relation such that T,(R) is generated by a denumerable 
set Q . Then R is a traditional bisimulation iff it is a state bisimulation. 
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Proof. As before, the left-to-right implication is Lemma 3.5. For the other implication we 
proceed as follows. Suppose towards a contradiction that s R t and T a (s) R T a (t), i.e. 
3/i G T a {s),\/n' E T (i) : fi ft fi'. By (Billingsley 1995, Theorem 3.3), this implies that 
there exists Qi E tt(£?) s.t. fJ,(Qi) ^ n'{Qi) with i £ N. (Notice that tt(Q), the 7r-system 
generated by Q, is also denumerable and generates E(i?).) The rest of the proof is as in 
Theorem 3.6. □ 



4 A Logic for Bisimulation on NLMP 

The logic we present below is based on the logic given by Parma and Segala (2007). The 
main difference is that we consider two kinds of formulas: one that is interpreted on states, 
and another that is interpreted on measures. The syntax is as follows, 

Lp = T \ tpi Atp 2 \ (a)V> 

^ = Vie/V'i I ~*l> I [<f]>g 

where a E L, I is a denumerable index set, and q E Q fl [0, 1]. We denote by £ the set of all 
formulas generated by the first production and by £a the set of all formulas generated by 
the second production. 

The semantics is defined with respect to a NLMP (S, E, T). Formulas in £ are interpreted 
as sets of states in which they become true, and formulas in £a are interpreted as sets of 
measures on the state space as follows, 

[T]=5 IV, ef *l=U,W 

biAc/> 2 | = bi]n^ 2 ] K-J = M C 

\{am=T-\H m ) IM>J=A^(M) 

In particular, notice that (ajtp is valid in a state s whenever there is some measure fj. E T a (s) 
that makes ip valid, and that [tp]>q is valid in a measure y, whenever /x([y>I) > q- As a conse- 
quence, we need that sets \ip\ and \tj)\ are measurable in S and A(E), respectively. Indeed, 
this follows straightforwardly by induction on the construction of the formula after observ- 
ing that all operations involved in the definition of the semantics preserve measurability (in 
particular T a is a measurable function). For the rest of the section, fix [£] = {[[(pj | <p E £} 
and [£ A J = {M | $ E La}- 

We particularly notice that some other operators can be encoded as syntactic sugar. 
For instance, we can define [<p]> r = V 9 eQn[o i]/\q>r\ l fi]>q f° r an Y rca l r € [0, 1] , and 
[tp] < r = -%>] >T - 

We show that C characterizes event bisimulation. This is an immediate consequence of 
the fact that c ([£]), the cr-algebra generated by the logic £, is the smallest event bisimula- 
tion, which is what we aim to prove in this part of the section. The proof strategy resembles 
that of (Danos et al. 2006, Sec. 5) but it is properly tailored to our two level logic. Moreover, 
such a separation allowed us to find an alternative to Dynkin's Theorem (used in Danos 
et al. 2006). 

We extend the definition of A(C) to any arbitrary set C C E by taking A(C) to be the 
cr-algebra generated by A- P (Q) with Q E C and p E [0, 1]. From now on we write cr(C), 
A(£) and TZ{C) instead of ([£]), A ([[£]) and ft([£]), respectively. 
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The concept of stable family of measurable sets is crucial to the proof of Theorem 4.5. 



Definition 4.1. Given a NLMP (S, E, T), the family C C E is stable /or (S, E, T) if for all 
a E L and £ G A(C), T~ X (H{) G C. 

Notice that C is an event bisimulation iff it is a stable cr-algebra. 

The key point of the proof is to show that [£] is the smallest stable 7r-systcm. which is 
stated in Lemma 4.2. The next lemma is auxiliary to Lemma 4.2. 

Lemma 4.1. [£ A ] = A(£) 

Proof. [£ A ] is a cr-algcbra since: (%) A(5) = [[T]>i] G [£ A ]; (U) for & G [£ A ] there 
are i> l G £ A s.t. & = [^ f ], and hence (Ji& = UiM = IVW^l G I^aJ; and (mj for 
i G [£ A ] there is ip G £ A s.t. £ = and hence <f = [?/>] c = G I^aJ- Moreover, 

since [[<£>]> p ] = A- P ([c/?]), every generator set of A(£) is in [£ A J and hence A(£) C [£ A ]. 

Finally, it can be proven by induction on the depth of the formula that [£ A ] C C for any 
cr-algebra C containing all sets [[y]>pj = A- p ([</jJ) for p G [0, 1] and ip G £. Then [£ A J is 
the smallest cr-algebra containing all generator sets of A(£). Therefore J£ A ] = A(£). □ 

Lemma 4.2. [£] is the smallest stable n-system for (S, E,T). 

Proof. [£] is a 7r-system since: (i) S = \J\ G [£J and (ii) for Qi,Q2 G [£] there are 
<Pi,<P2 G £s.t. Qi = {ipij andQ 2 = [^2], and hence QinQ 2 = [^i]n[</J 2 J = [<PiA<p 2 ] G [£]. 

For stability, let £ G A(£). By Lemma 4.1, there is i\) G £ A s.t. [V>] = £. Then 
T-\Hs) = T-\H m ) = I(a)Vl G [£]• 

Let C be another stable 7r-system for (S, E, T). By induction in the depth of the formula 
we show simultaneously that C 2 [£J and A(C) D A(£). First notice that [TJ = 5 G C since 
C is a 7r-system. Now, suppose inductively that ftp}, {(fij, [^l G C and [i/>J, [i/^J G A(C) 
for i > 0. Then: (%) [</?i A </3 2 ] = [<Pi] H [(/7a] G C, because C is a 7r-system; (ii) [(a)V'J = 
^(^m) G C, because C is stable; (ivi) JV ieJ fa] = U,M G A(C) and (z«j [^J = G 
A(C) because A(C) is a cr- algebra; and finally, (v) l[ip)> p j = A^ p ([cp]) G A(C) by definition 
of generator set of A(C). □ 

Lemma 4.3 is auxiliary to Lemma 4.4. It is also significantly simpler than its relative in 
(Danos et al. 2006, Lemma 5.4). This is due to our definition of stability and the use of a 
powerful result of Viglizzo (2005). 

Lemma 4.3. If C is a stable ir -system for E,T) , then o~(C) is also stable. 

Proof. First notice that C is stable iff {T' 1 ^) | a G L,£ G A(C)} C C. By (Viglizzo 2005, 
Lemma 3.6), A(C) = A(cr(C)). Then {T" 1 ^) | a G L,£ G A(er(C))} C C C <r(C), which 
proves that cr(C) is stable. □ 

The next lemma is central to the proof that £ characterizes event bisimulation, which is 
then presented in Theorem 4.5. 

Lemma 4.4. er(£) is the smallest stable a-algebra included in E. 
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Proof. Let T be the smallest stable cr-algebra included in E. By Lemma 4.2, [£] C J 7 , since 
J 7 is a stable 7r-system. Therefore cr(C) C J 7 since J 7 is also a c- algebra. For the other 
inclusion, notice that [£J is a stable 7r-system because of Lemma 4.2. By Lemma 4.3, <r(£) 
is stable, therefore it contains J 7 . □ 

Theorem 4.5. 37ie logic £ completely characterizes event bisimulation. In other words, 
K(C) = ~ c 

Proof. Lemma 4.4 establishes that cr(£) is stable, i.e. it is an event bisimulation. Being the 
smallest, it implies that any other event bisimulation preserves £ formulas. □ 

A consequence of this theorem together with Theorem 3.4 and Lemma 3.5 is that both 
traditional and state bisimulation are sound for £, i.e., they preserve the validity of formulas. 

Theorem 4.6. ~ t Q ~ s Q ~c = U{C). 

4.1 Completeness on image finite NLMPs 

The rest of the section is devoted to show that the logic completely characterizes (all three) 
bisimulation on NLMPs with image finite nondeterminism and standing on analytic spaces. 
In fact, we show completeness of the sublogic of £ defined by: 

<p = T | tp x A Lp 2 | (a)[x i(?i <Pi]"=i 

where Mj G {>, <} and qi G Q R [0, 1]. We define the new modal operation as a short- 
hand notation: (a)[[xi i q i l Pi\i = i = ( a ) A™=i Mm;^ • Therefore, its semantics is given by 
[(d)[Mi ( ?i < ^i]i 1 =il = ^oT 1 (^n7_ 1 A M i9i([ Vi ]))- Let £f C £ denote the set of all formulas de- 
fined with the grammar above. Notice that £f is a denumerable set whenever the set of 
labels L is denumerable. 

The expression {o)[^ iqi ^Pi\l = i is like a conjunction of formulas (&)ix iSi <^j, but the proba- 
bilistic bounds must be satisfied by the same nondeterministic transition. Modality (aj^qip 
suffices to characterize bisimulation on LMP (Dcsharnais et al. 2002) but, as we see in the 
next example that originates in (Celayes 2006), it is not enough for the more general setting 
of NLMPs. 

Example 4.1. Take the discrete NLMPs depicted in Fig. 1. States s andt are not bisimilar 
since given a fi G T a (s), there is no fx' G T a {t) such that /i(Q) = fJ-'(Q) for all Q G 
{{x}, {y}, {z}} (which are the only relevant possible R-closed sets). A logic having a modality 
that can only describe one behavior after a label will not be able to distinguish between s 
and t. For example, \{a)>q<f\ = {w \ T a (w) H A >9 ([iy9]) ^ 0} will always have s and t 
together. Observe that negation, denumerable conjunction or disjunction, do not add any 
distinguishing power (on an image finite setting). 

The essential need for this new modal operator also shows that our cr-algebra iJ(A(E)) 
in Def. 3.2 can not be simplified to cr({i7A s (Q) : B G B([0, l]),Q G S}). States s and t in 
the example above should be observationally distinguished from each other. Formally, this 
amounts to say that there must be some label a and some measurable 9 such that T~ 1 (G) 
separates {s} from {t}. Therefore, the same must be true for some generator O, but this 
does not hold for the family {H A b^ : B G B([0, 1]), Q G £}. 
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Figure 1: s and £ are not bisimilar 



Logical characterization of bisimulation is succinctly stated as s ^ s t s 1Z(£{) t 
(similarly for ~ t ). The left-to-right implication is immediate by Theorem 4.6. For the 
converse, we restrict the state space and the branching. 

The strategy is to prove that 1Z(£f) is a traditional bisimulation, that is, s lZ(£f) t 
implies that G T a (s),3/i' G T a (t),fj, TZ(£f) (J, 1 ; recall this means fJ,(Q) = n'(Q) for 
all Q G H(H(£f)). For analytic spaces this holds if it is valid for the restricted set of 
Q G 2}(1Z(£f)) such that Q = [<p], for some <p G £{. We first introduce analytic spaces and 
a result from descriptive set theory that is fundamental for the proof. 

Definition 4.2. A topological space is Polish if it is separable (i.e. it contains a countable 
dense subset) and completely metrizable. A topological space is analytic if it is the continuous 
image of a Polish space. A measurable space is analytic (standard) Borel if it is isomorphic 
to (X,o~(T)) where T is an analytic (Polish) topology on X. 

Every standard Borel space is analytic, but the converse is false. The real line with 
the usual Borel cr-algcbra, and more generally, A N with A a countable discrete space, are 
standard Borel and therefore, analytic. 

The next theorem from (Desharnais and Panangadcn 2003) essentially shows that in 
analytic Borel spaces, the i?-closed measurable sets are well-behaved when the relation R is 
defined in terms of a sequence of measurable sets. 

Theorem 4.7. Let (S 1 , S) be an analytic Borel space. Let J- C £ be countable and assume 
S G T. Then Z{K(T)) = a(T). 

The following lemma provides a general framework to prove that a logic characterizes 
bisimulation. In fact it has been used to prove that less expressive logics characterize 
traditional bisimulation in some restricted NLMPs (Celayes 2006). 

Lemma 4.8. Let (5 1 , S, T) be a NLMP with < S, E) being an analytic Borel space. Let £ be 
a logic s.t. (i) £ contains operators T and A with the usual semantics; (ii) for every formula 
tp G £, [93] is E- measurable; (Hi) the set of all formulas in £ is denumerable; and (iv) for 
every s 7£(£) t and every /i G T a (s) there exists p! G T a (t) such that \/ip G £, /i([</?]) = 
//([</>]). Then, two logically equivalent states s,t are traditionally bisimilar. 

Proof. Let T = {\ip\ \ (p G £}. Because of (i), [T] = S and J^] n [^2] = fo>i A ip 2 j. 
Hence T forms a 7r-system. Because of (iv), /i,// agree in T and, by (Billingsley 1995, 
Theorem 3.3), they also agree in cr{F). Notice that hypotheses of Theorem 4.7 are met, i.e., 
E is analytic, T C E is countable (by (ii) and (Hi)) such that S G T (by (%)), and H(£) 



14 



equals TZ(F). Therefore, by Theorem 4.7, cr(J-) = S(72.(£)), which implies that /i and \J 
agree in E(7£(£)). Since 7?.(£) is symmetric, H(£) is a traditional bisimulation. □ 

Notice that Lemma 4.8 holds for any logic fulfilling the hypothesis, in particular it should 
encode the transfer property of the bisimulation and may not contain negation. We already 
know that C{ has operators T and A, is dcnumerable, and that each formula is interpreted 
in a E-measurablc set. In the following, we show that the transfer property can be encoded 
by using the modality. 

Lemma 4.9. Let (S, E, T) be an image finite NLMP (i.e. T a (s) is finite for all a G L,s G S). 
Then for every pair of states such that s IZ(Cf) t and fi G T a (s), there is a fjf G T a (t) such 
that V^e£ f) M(H)=//(M). 

Proof. Suppose towards a contradiction that there are s, t with s IZ(Cf) t and there is a n G 
T Q (s), such that for all G T a (t) there is a formula <pi G Cf with ^ Mi([¥>»l)- Since 

T a (t) is finite, there are at most n different We can choose M, G {>,<}, q t G Q n [0, 1] 
accordingly to make n(l<Pij) M, q l Xlj M< ([¥>»!)• Take = (a)[[xi igi ^]™ = i- Then s G but 
t [■01 contradicting s IZ(Cf) t. □ 

So, finally, we can state the following theorem. 

Theorem 4.10. Let (S, E,T) 6e an image finite NLMP with (S, E) kmj analytic. For all 
S,t € S, 

s ~ t t <^> s ~ s i ^> s ~ e t <^> s 7?.(£ f ) i 

Proof, s ~ t t => s~ s i => s~ c t ^ s 7?.(£) i (by Theorem 4.6) s 7?.(£f) t (because 
£fC£) s ~ t t (by Lemmas 4.8 and 4.9). □ 

5 Non-probabilistic NLMPs and Counterexamples 

The purpose of this section is to construct counterexamples over standard Borel spaces 
witnessing that all our notions of bisimilarity are different in the case of uncountable nonde- 
tcrminism. Moreover, it suffices to consider a non-probabilistic variant of NLMP, in which 
transitions only map into a set of Dirac measures. These structures looks very much like 
LTSs, the only exception being that the state space has a cr-algebra attached. 

Somehow, the type of counterexamples — non-probabilistic NLMPs over standard Borel 
spaces with uncountable branching — shows that our Theorems 3.6 and 3.7 are the best 
possible, even if we assume that our state space is the Borel space of the real numbers. 

5.1 The subspace of Dirac measures 

Since the counterexample NLMPs only run on Dirac measures over standard Borel spaces, 
we focus first on understanding these objects. 

Let (S, E) be a measurable space. We call S(P) — {8 S : s G P} for each PCS. The set 
S(S) inherits the measurable structure from A(S*) by restriction: its cr-algebra is 

A(£) \S(S) = {£H 5(S) :£GA(£)}. 
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Notice that the elements of A(E)|(5(5) are not necessarily measurable sets in (A(5), A(E)). 
However it is indeed the case if E is Borel standard. This is stated in the following propo- 
sition. 

Proposition 5.1. 1. The map s <-> 5 S is a measurable embedding between 5 and A(5), i.e., 
the function (5(.) is a bisection between 5 and its image (5(5) s.t. both <5(.) and 57^ are 
measurable. 

2. If (5, E) is a standard Borel space, <5(5) belongs to A(E), i.e., it is a measurable set and 
hence A(E)|(5(5) C A(E). 

3. If (5, E) is standard and ICS, S(X) is measurable if and only if X is measurable. 

Proof. It is clear that <5 is injective. To show it is an embedding amounts to prove that 
A(E)|(5(5) = {S(Q) : Q g E}. First observe that A(E) is the smallest family that contains 
Q = {A <q (Q), (A(5) \ A <9 (Q)) : q g Q, Q g E} and is closed under countable intersections 
and unions. We first show that for every £ g Q, £ n S(S) is of the form S(Q): 

!0 q < 

S(S\Q) 0<q<l 
S(S) q>l. 

(6(S) q<0 

{A(S)\A<«(Q))n6(S) = h(Q) 0<q<l 

{0 q>l. 

Incidentally, this also proves A(E)|5(S I ) 3 {o~(Q) ■ Q g E}. Assume n (5(5*) is of the form 
S(Qi) with Qj g E for every i. Then 

(UeO ns(S) = Ui&nsw = = *(U0*) 

Since E is a cr-algebra, ((Ji^i) I" 1 i s °f the form S(Q). The same works for countable 
intersections, and we have the other inclusion. 

If S is standard then A(S) is standard by (Kechris 1995, Theorem 17.23, 17.24). Since 
s i y S s is injective, 2 follows from (Kechris 1995, Corollary 15. 2). 3 

By 1 we have that for X C S, 5(X) is (A(E)|J(S'))-measurable if and only if X is 
measurable. By using 2, we can state that S(X) is A(E)-measurable if and only if X is 
measurable. □ 

5.2 Non-probabilistic NLMPs 

We call a NLMP S = (S, E, {T a : a g L}) non-probabilistic if for all a G L and s g S, 
T a {s) C <5(5). A non-probabilistic NLMP is essentially a labelled transition system (LTS) 
over a measurable space. However, as we will see, our notions of bisimulation differ from 
the classical notion for LTS. 

3 Alternatively, (S, S) is isomorphic to ([0, 1], B([0, 1])) and the functor A can be defined in the category 
of Polish spaces and continuous functions. It is not hard to show that 8 is a continuous embedding. Hence 
<5([0, 1]) is compact in A([0, 1]) and a fortiori measurable. 
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We will write (a)Q for {s : T a (s) H S(Q) ^ 0}. The interpretation of this is clear: (a)Q 
are the states from which we can reach Q after an a-action. 

Lemmas 5.2, 5.3, and 5.4 give the formulation of event, state, and traditional bisimulation 
in the setting of non-probabilistic NLMPs over standard Borel spaces. Lemma 5.1 below, is 
the basis of the proof of Lemma 5.2 and is also used on the proof of our counterexamples. 

Lemma 5.1. Assume (S, E) is standard and A C E is a sub-a -algebra. Let T a : S — > A(E) 
with T a (s) C S(S) for all s E S. Then T a is (A, H(A(A))) -measurable if and only if for all 
Q E A, (a)Q 6 A (i.e., A is stable under the mapping (a)-). 

Proof. (=S-) Let Q e A and take £ = (A(S) \ A <1 (Q)) 6 A(A). Then (a)Q = {s : T a {s) n 
<J(Q) ^ 0} = {s : T a (s) n 5(5) n £ ^ 0} = T- 1 ^) G A. 

O) Let £ G A(A). By Proposition 5.1(1), A(A)|<5(5) = {5(Q) : Q G A}, and hence 
£ n 6{S) = S(Q) for some Q G A. Then T" 1 ^) = {s : T a (s) n (5(Q) ^ 0} = (a)Q G A. □ 

Throughout the rest of this section we will assume that S = (S, E, {T a : a G L}) is a 
non-probabilistic NLMP over a standard Borel space. The next lemma is a corollary of 
Lemma 5.1. 

Lemma 5.2. A a-algebra A C E is an event bisimulation on S if and only if it is stable 
under the mapping (a)-. 

Lemma 5.3. A symmetric relation R is a state bisimulation on S if and only if for all 
s,t G S such that sRt, it holds that for all Q G E(i?) 7 s G (a)Q «t e (a)Q. 

Proof. (=*►) Let s R t and Q G £(i?). Observe that A^ 1 (Q) G A(£(i?)) and A^ 1 (<3)n<5(5) = 
5(g). Then s G (a)Q <S> T(s) n A^ X (Q) ^ 4 n A- 1 (Q) ^0«t£ (o)Q. In * we 
use the fact that R is a state bisimulation. 

(<«=) Let s Rt and £ G A(E(i?)). Let Q such that <J(Q) = S(S) n £. Then T„(s) n £ = 
T (s) n (5(g) and hence T a (s)n^0^.5£ (a)Q. Similarly, T a (t) H £ ^ 4^ t G (a)Q. If 
Q G £(i?), then s G (a)Q «fe (a)Q by hypothesis. 

We show that indeed Q G E(iZ). Since £ G A(£(i?)), by Proposition 5.1(2) and (3), 
Q 6 S. It only remains to show that Q is i?-closed. So, let x R y and x G Q\ hence S x G £. 
But, for any X G E(i?) and g G [0, 1], 4 G A- g (AT) 0ieI«|,eX«ije A^X). 
Since (5 K and S y cannot be separated by any generator set of A(E(i?)), they cannot be 
separated by a set in A (E(i?)) so 8 y G £ and hence y G Q. □ 

Lemma 5.4. A symmetric relation R is a traditional bisimulation on S if and only if for 
all s,t G S and S u G T a (s), if s Rt then there exists S v G T a (t) such that u 1Z(E(R)) v. 

Proof. Assume s Rt. Then T a (s) RT a (t) if and only if for every /i G T a (s) there exists 
v G T a (t) such that [iRv. But since S is non-probabilistic, fx = S u , and v = S v for some 
u,v G S. Now S u RS V means that for every Q G E(i?), S U (Q) = S V (Q), and this is equivalent 
to VQ G E(i?) : u E Q O v E Q. The last assertion is it 7£(E(i?)) u. □ 

After the last lemma it should be easy to note that this "measurable" notion of bisimu- 
lation is weaker than the standard one for LTS of Milner (1989). 
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5.3 Traditional Bisimilarity ^ Event-, State- Bisimilarity. 

Consider the standard Borel space (Si , Si ) = ( [0 , 1] U [2 , 3] U{ s , t , x} , B ( [0 , 1] U [2 , 3] U { s , t , x } ) ) 
where {s, t, x} C K\[0, 3]. Let V a non-Borel subset of [2.5, 3]. Clearly, [0, 1] is equinumerous 
with [2, 3] \ V; pick a bijection / between them. Now, let Li = {a} U [0, 1] be the set of 
labels and let Si = (Si, Si, {T a : a G Li}) where 

T a (s)=S([2,3}) 
T a (t) = 6([0,l}) 

T r (r)=T r (f(r)) = {5 x } if r 6 [0, 1] 

T c (y) = otherwise. 

Now, take T to be {{s, t}, {x}, {r, f (r)} r e[o,i]} an d R =TZ(a(T)). 

Lemma 5.5. Si is a non-probabilistic NLMP, <j(J-) is an event bisimulation and R is a 
state bisimulation. 

Proof. First, notice that for all c, y, T c (y) 6 A(Si) by Proposition 5.1(3). The proof that 
T c is a measurable map for each c G L\ is routine. 

We check that a(J-) is an event bisimulation. Observe first that for all Q £ cr(J r ), (a)Q 
is empty or equal to {s,t} e cr(J r ), and hence cr(F) is stable under T a by Lemma 5.1. For 
< r < 1, (r)Q ^ if and only if x € Q, and in that case 

(r)Q = {r,f(r)}ea(T). (1) 

Now, we show that R is a state bisimulation. By way of contradiction, using Lemma 5.3, 
assume that there exists Q 6 Si(i2), c£Lj and z,y G Si such that zRy and 2 G (c)Q but 
y ^ (c)Q. Hence (c)Q must not be i?-closed. By the preceding calculation (1), for < r < 1 
and every Q G Si, (r)Q is i?-closed. Then, it should be the case that (a)Q is not i?-closcd. 
Observe that the only i?-closed sets Q C Si such that (a)Q is not i?-closed are of the form 
A\J V where A G {0, {s, t, x}, {s, t}, {x}}. This set Q is non-measurable since V was chosen 
to be not measurable. But then Q is not in Si(i£), an absurdity. □ 

Theorem 5.6. State bisimilarity (resp. event bisimilarity) and traditional bisimilarity differ 
in Si . 

Proof. Because of Lemma 5.5, it sufficies to show that s and t are not traditionally bisimilar. 

It is easy to see that for < r < 1, r 7^ y if y ^ { r if( r )}'- we have T r (r) nonempty 
but T r (y) = 0. Therefore {r, f(r)} is ~ t -closed for every < r < 1 and hence {r, f(r)} G 

SiK). 

By way of contradiction, now assume s ~ t t. Let y G V . Since S y G T a (s), by Lemma 5.4, 
there must exist some < r < 1 such that y 7£(Si(~ t )) r. But y > 1 and is not in the 
image of /, hence the set {r,f(r)} G Si(~t) separates y from r. This contradicts the fact 
that yft(Ei(~ t )) r. 

Since ^ s C ~ G , event bisimilarity and traditional bisimilarity also differ in Si. □ 
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5.4 State Bisimilarity ^ Event Bisimilarity 



In this last section, we prove that the greatest event bisimulation ^ c is not contained in 
~ s . We do this by slightly modifying Si. We now take V to be the interval (2.5,3] and let 
(52, £2) = (Si, Si). We complete the construction of a non-probabilistic NLMP by picking 
any bijection / between [0, 1] and [2, 2.5]. The transition is defined just like for Si only that 
using the the new /. We also use family T but defined with the new /. 

Lemma 5.7. V £ a(J'). 

Proof. It is clear that every member of cr(J-) is countable or has a countable complement, 
from which the lemma follows. □ 

The proof of Lemma 5.5 works equally fine for the following lemma. 

Lemma 5.8. S2 = (52,S2,{T a : a G L\}) is a non-probabilistic NLMP and o~(!F) is an 
event bisimulation. 

In this case, relation R = Ti(a(^F)) is an event bisimulation that it is not a state bisim- 
ulation. 

Theorem 5.9. Event and state bisimilarity differ in S2. 

Proof. Since (s, t) G R C ~ e , we just have to show that s <^ s t. Observe that V G S2(i?). If 
s and t were state-bisimilar, by Lemma 5.3, it would be the case that s G (a)V iff t G (a)V. 
But this is absurd since S 3 G T a {s) n S(V) and T a (t) n 8(V) = 0. □ 



6 Concluding remarks 

In order to define a process theory that permits the verification of compositionally modeled 
systems against simple (may be nondeterministic) specifications, it is necessary to have at 
hand a semantic relation that allows for abstraction such as weak bisimulation. In this 
setting, internal nondeterminism is crucial. 

In this paper we introduced the model of nondeterministic labeled Markov processes that 
allows for the modeling of continuous probabilistic systems with internal nondeterminism. 
Contrarily to similar models (D'Argenio 1999; Bravetti 2002; Bravetti and D'Argenio 2004; 
D'Argcnio and Katoen 2005; Cattani 2005), NLMPs are defined to have a measure theoretic 
structure. In particular, wc require that the transition relation is a measurable function 
that maps on measurable sets. This was devised so that it is possible to build the rest of 
the theory (particularly event bisimulation and logic, but also schedulers are definable). We 
have shown that NLMPs extend naturally LMPs. For the definition of the transition and 
the development of the whole work, Def. 3.2 is crucial, as it provides the foundation for 
dealing with nondeterminism. 

As a first step towards the desired process theory, we gave different definitions of bisim- 
ulations. We proposed three possible generalizations of the two bisimulations on LMPs. 
The event bisimulation responds exactly to the same definition principle both in LMP and 
NLMP. Instead, the state bisimulation in LMPs generalizes to NLMPs as state bisimulation 
and as traditional bisimulation. We know that traditional bisimulation is finer than state 
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bisimulation and, in Theorems 3.6 and 3.7, we gave sufficient conditions under which they 
agree. 

We also gave a logical characterization of event bisimulation (Theorem 4.5). Such logic 
(£) can be seen as a revision of the one introduced by Parma and Segala (2007) in a discrete 
probabilistic setting. Formulas in our setting belong to two different classes: state formulas 
and measure formulas. Notice that negation and infinitary (but denumerable) disjunction 
(or conjunction) is only present on the second class, meaning that the complexity of the 
model lies precisely on the internal nondeterminism. 

A consequence of the characterization is that the logic is sound for state and traditional 
bisimulations (Theorem 4.6). For the restricted case of image finite NLMPs running on 
analytic Borel spaces, all equivalences coincide (Theorem 4.10). Notice that the logic we 
used to show such equivalence is in fact a sublogic of C which has already appeared in a 
preliminary work (Celayes 2006). 

The coincidence among all equivalence does not generalise to arbitrary NLMPs as we have 
shown in Theorems 5.6 and 5.9. Observe that the counterxamples presented in these theo- 
rems are non-probabilistic NLMPs over standard Borel spaces with uncountable branching. 
Somehow, this shows that Theorems 3.6 and 3.7 are the best possible to equate traditional 
and state bisimulation, even if we assume that the state space is the Borel space of the 
real numbers. Though we did not present a theorem, we mentioned a third important dif- 
ference on these "measure-theoretic" LTSs: in the general case, Park-Milner's bisimulation 
is strictly finer than traditional bisimulation. The last one considers the measure space of 
the state space, while the first one does not (or, alternatively, it only considers the discrete 
cr-algebra 2 s ). 

Some additional observations on the counterexamples are in order. First, counterexample 
Si in Theorem 5.6 relies on the fact that state bisimulation cannot distinguish a non- 
measurable set V while traditional bisimulation can. In our point of view, such distinction 
should not be possible since V has no measure. Second, counterexample S2 in Theorem 5.9 
makes a difference on measurable set V that the event bisimulation cannot distinguish. In 
our opinion, such distinction should be observed since a possible scheduler may lead to such 
set of states with certain probability. Notice that in this example, states in V do not allow 
the system to reach state x from s, while x can always be reached from t. In this sense, we 
argue that state bisimulation is the most appropriate definition. 

Somehow, this is dissapointing since logic C has a natural definition but, as it completely 
characterizes event bisimulation, it will not be able to test the presence of states like those 
in V in S2. This is due to the fact that the logic cannot test transitions bearing continuously 
many labels. This calls for adding structure to the set of labels on the NLMP. In any case, 
this would also be necessary for the definition of schedulers and probabilistic trace semantics. 

At the moment, we are indeed busy on the definition of NLMPs with labels equipped 
with a er-algebra, as well as on the study of schedulers for these objects and probabilistic 
trace semantics. This will allow us to contrast the two local behavioral equivalences, state 
and traditional bisimulation. It is expected that at least one of them implies a global 
behavioral equivalence, like probabilistic trace equality. Schedulers would also let us define 
probabilistic weak transitions and their related bisimulations. We are also busy on trying 
to refine the idea of event bisimulation and the logic so that they can distinguish situations 
like the one shown by NLMP S 2 . 

If necessary, we will restrict only to standard Borel spaces. Confining to standard Borel 
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spaces is not as restricting as it seems since most natural problems arise in this setting. For 
example, we have shown elsewhere that the underlying semantics of stochastic automata 
(D'Argenio 1999) in terms of NLMP meets most of the restrictions required in this article: it 
runs on standard Borcl spaces and it is image finite. Wc recall that stochastic automata and 
similar models are used to give semantics to stochastic process algebras and specification 
languages (D'Argenio 1999; Bravetti 2002; Bravetti and D'Argenio 2004; D'Argenio and 
Katoen 2005; Bohncnkamp ct al. 2006, etc.) which, in turn, are used to model dynamic 
systems. Moreover, LMP-like models restricted to standard Borel spaces have been studied 
by Doberkat (2007). 
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